Re: [PATCH] netfilter: nft_ct: add ct expectations support

On 2019-05-04, at 19:35:41 +0200, Stéphane Veyret wrote: > This patch allows to add, list and delete expectations via nft objref > infrastructure and assigning these expectations via nft rule. > > Signed-off-by: Stéphane Veyret > --- > include/uapi/linux/netfilter/nf_tables.h | 15 ++- > net/netfil

[PATCH] Added extern "C" declarations to header-files.

Declare functions with extern "C" for inclusion in C++. Reported-by: Stefan Laufmann Signed-off-by: Jeremy Sowden --- include/libnetfilter_log/libipulog.h| 8 include/libnetfilter_log/libnetfilter_log.h | 8 2 files changed, 16 insertions(+) diff --git

Re: [PATCH] Added extern "C" declarations to header-files.

On 2019-07-03, at 13:35:35 +0200, Pablo Neira Ayuso wrote: > On Wed, Jul 03, 2019 at 12:25:38PM +0100, Jeremy Sowden wrote: > > Declare functions with extern "C" for inclusion in C++. > > Applied, thanks. > > Please, next time specify [PATCH libnetfilter_log] so we

Re: json_cmd_assoc and cmd

On 2019-07-16, at 21:39:03 +0200, Pablo Neira Ayuso wrote: > BTW, not directly related to this, but isn't this strange? > > list_for_each_entry(cmd, cmds, list) { > memset(&ctx, 0, sizeof(ctx)); > ctx.msgs = msgs; > ctx.seqnum = cmd->seqnum =

Re: json_cmd_assoc and cmd

On 2019-07-18, at 16:57:22 +0200, Pablo Neira Ayuso wrote: > On Thu, Jul 18, 2019 at 01:37:04PM +0100, Jeremy Sowden wrote: > > On 2019-07-16, at 21:39:03 +0200, Pablo Neira Ayuso wrote: > > > BTW, not directly related to this, but isn't this strange? > > > >

[PATCH nft] libnftables: got rid of repeated initialization of netlink_ctx variable in loop.

Most members in the context doesn't change, so there is no need to memset it and reassign most of its members on every iteration. Moved that code out of the loop. Fixes: 49900d448ac9 ("libnftables: Move library stuff out of main.c") Reported-by: Pablo Neira Ayuso Signed-off-by

[PATCH nft v2 2/2] rule: removed duplicate member initializer.

Initialization of a netlink_ctx included two initializers for .nft. Removed one of them. Fixes: 2dc07bcd7eaa ("src: pass struct nft_ctx through struct netlink_ctx") Signed-off-by: Jeremy Sowden --- src/rule.c | 1 - 1 file changed, 1 deletion(-) diff --git a/src/rule.c b/src/ru

[PATCH nft v2 1/2] libnftables: got rid of repeated initialization of netlink_ctx variable in loop.

Most members in the context doesn't change, so there is no need to memset it and reassign them on every iteration. Moved that code out of the loop. Fixes: a72315d2bad4 ("src: add rule batching support") Reported-by: Pablo Neira Ayuso Signed-off-by: Jeremy Sowden --- src/lib

[PATCH nft v2 0/2] netlink_ctx initialization fixes.

it in "Fixes:" tag in first patch. * Added second patch. Jeremy Sowden (2): libnftables: got rid of repeated initialization of netlink_ctx variable in loop. rule: removed duplicate member initializer. src/libnftables.c | 23 ++- src/rule.c| 1 - 2 fi

Re: [PATCH nft,v1 2/2] src: add tunnel expression support

On 2019-07-25, at 11:14:00 +0200, Pablo Neira Ayuso wrote: > This patch allows you to match on tunnel metadata. > > Signed-off-by: Pablo Neira Ayuso > --- > include/Makefile.am | 4 ++- > include/expression.h | 6 > include/tunnel.h | 33 + > src/Mak

Re: xtables addons build on 5.2.6 ends with error: 'struct shash_desc' has no member named 'flags'

On 2019-08-11, at 11:40:20 +0200, Franta Hanzlík wrote: > I'm using xtables-addons-3.3 on Fedora 30 from freshrpms, which is builded > via akmods. On kernel 5.1.20-300.fc30 it build fine, but on 5.2.6-200.fc30 > it ends with error: > [...] > > I report it as issue against Fedora 30 kernel-5.2.6, bu

[PATCH xtables-addons 2/2] xt_DHCPMAC: replaced skb_make_writable with skb_ensure_writable.

skb_make_writable was removed from the kernel in 5.2 and its callers converted to use skb_ensure_writable. Signed-off-by: Jeremy Sowden --- extensions/xt_DHCPMAC.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/extensions/xt_DHCPMAC.c b/extensions/xt_DHCPMAC.c index

[PATCH xtables-addons 1/2] xt_pknock, xt_SYSRQ: don't set shash_desc::flags.

shash_desc::flags was removed from the kernel in 5.1. Signed-off-by: Jeremy Sowden --- extensions/pknock/xt_pknock.c | 1 - extensions/xt_SYSRQ.c | 1 - 2 files changed, 2 deletions(-) diff --git a/extensions/pknock/xt_pknock.c b/extensions/pknock/xt_pknock.c index c76901ac4c1a

Re: [PATCH xtables-addons 2/2] xt_DHCPMAC: replaced skb_make_writable with skb_ensure_writable.

On 2019-08-11, at 20:42:17 +0200, Florian Westphal wrote: > Jeremy Sowden wrote: > > skb_make_writable was removed from the kernel in 5.2 and its callers > > converted to use skb_ensure_writable. > > > > Signed-off-by: Jeremy Sowden > > --- > > extensions/

[PATCH xtables-addons v2 1/2] xt_pknock, xt_SYSRQ: don't set shash_desc::flags.

shash_desc::flags was removed from the kernel in 5.1. Signed-off-by: Jeremy Sowden --- extensions/pknock/xt_pknock.c | 1 - extensions/xt_SYSRQ.c | 1 - 2 files changed, 2 deletions(-) diff --git a/extensions/pknock/xt_pknock.c b/extensions/pknock/xt_pknock.c index c76901ac4c1a

[PATCH xtables-addons v2 2/2] xt_DHCPMAC: replaced skb_make_writable with skb_ensure_writable.

skb_make_writable was removed from the kernel in 5.2 and its callers converted to use skb_ensure_writable. Signed-off-by: Jeremy Sowden --- extensions/xt_DHCPMAC.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/extensions/xt_DHCPMAC.c b/extensions/xt_DHCPMAC.c index

[PATCH xtables-addons v2 0/2] Kernel API updates

v3.3 of xtables-addons does not compile against v5.2 of the kernel owing to a couple of kernel API changes. These two patches update the broken extensions to work with the new API's. Jeremy Sowden (2): xt_pknock, xt_SYSRQ: don't set shash_desc::flags. xt_DHCPMAC: replaced skb_mak

Re: [PATCH xtables-addons v2 0/2] Kernel API updates

On 2019-08-12, at 12:57:40 +0100, Jeremy Sowden wrote: > v3.3 of xtables-addons does not compile against v5.2 of the kernel > owing to a couple of kernel API changes. These two patches update the > broken extensions to work with the new API's. > > Jeremy Sowden (2): > xt_

Re: [PATCH xtables-addons v2 1/2] xt_pknock, xt_SYSRQ: don't set shash_desc::flags.

On 2019-08-12, at 23:17:52 +0800, Jan Engelhardt wrote: > On Monday 2019-08-12 19:57, Jeremy Sowden wrote: > >shash_desc::flags was removed from the kernel in 5.1. > > > >Signed-off-by: Jeremy Sowden > >--- > > extensions/pknock/xt_pknock.c | 1 - > > ex

Re: [nf-next:master 14/17] include/uapi/linux/netfilter_ipv6/ip6t_LOG.h:5:2: warning: #warning "Please update iptables, this file will be removed soon!"

On 2019-08-14, at 09:45:39 +0200, Pablo Neira Ayuso wrote: > On Wed, Aug 14, 2019 at 06:05:49AM +0800, kbuild test robot wrote: > > tree: > > https://kernel.googlesource.com/pub/scm/linux/kernel/git/pablo/nf-next.git > > master > > head: 105333435b4f3b21ffc325f32fae17719310db64 > > commit: 2a

[PATCH nf-next] netfilter: remove deprecation warnings from uapi headers.

and remove these, but userspace was never updated. Remove the warnings. Fixes: 2a475c409fe8 ("kbuild: remove all netfilter headers from header-test blacklist.") Reported-by: kbuild test robot Signed-off-by: Jeremy Sowden --- include/uapi/linux/netfilter_ipv4/ipt_LOG.h | 2 -- in

Re: [PATCH xtables-addons v2 1/2] xt_pknock, xt_SYSRQ: don't set shash_desc::flags.

On 2019-08-19, at 21:34:11 +0200, Franta Hanzlík wrote: > On Mon, 12 Aug 2019 17:57:31 +0100 Jeremy Sowden wrote: > > On 2019-08-12, at 23:17:52 +0800, Jan Engelhardt wrote: > > > On Monday 2019-08-12 19:57, Jeremy Sowden wrote: > > > >shash_desc::flags was

[PATCH nf-next 01/29] netfilter: add include guard to nf_conntrack_h323_types.h

From: Masahiro Yamada Add a header include guard just in case. Signed-off-by: Masahiro Yamada Signed-off-by: Pablo Neira Ayuso --- include/linux/netfilter/nf_conntrack_h323_types.h | 5 + 1 file changed, 5 insertions(+) diff --git a/include/linux/netfilter/nf_conntrack_h323_types.h b/in

[PATCH nf-next 05/29] netfilter: remove trailing white-space.

Several header-files, Kconfig files and Makefiles have trailing white-space. Remove it. Signed-off-by: Jeremy Sowden --- include/linux/netfilter/x_tables.h | 2 +- include/linux/netfilter_ipv6.h | 2 +- include/net/netfilter/nf_conntrack_expect.h | 2 +- include/net

[PATCH nf-next 00/29] Add config option checks to netfilter headers.

ption, but that would have meant an addi- tional 44 patches, so I squashed them all before sending the series, although it has resulted in a 2,000-line patch that touches 78 files. Jeremy Sowden (28): netfilter: add include guard to nf_conntrack_labels.h. netfilter: fix includ

[PATCH nf-next 09/29] netfilter: remove unused includes.

Some header-files are included in places where they are not needed. Remove them. Signed-off-by: Jeremy Sowden --- net/bridge/netfilter/nf_conntrack_bridge.c | 1 - net/ipv6/netfilter/nf_socket_ipv6.c| 1 - net/netfilter/xt_physdev.c | 1 - 3 files changed, 3 deletions

[PATCH nf-next 04/29] netfilter: add GPL-2.0 SPDX ID's to a couple of headers.

Two headers are missing SPDX licence identifiers. They contain copyright notices indicating that the code is GPL. Add GPL-2.0 identifiers. Signed-off-by: Jeremy Sowden --- include/linux/netfilter_ipv4.h | 3 ++- include/linux/netfilter_ipv6.h | 3 ++- 2 files changed, 4 insertions(+), 2

[PATCH nf-next 02/29] netfilter: add include guard to nf_conntrack_labels.h.

nf_conntrack_labels.h has no include guard. Add it. Signed-off-by: Jeremy Sowden --- include/net/netfilter/nf_conntrack_labels.h | 11 --- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/include/net/netfilter/nf_conntrack_labels.h b/include/net/netfilter

[PATCH nf-next 07/29] netfilter: remove stray semicolons.

There are a couple of semicolons at the end of function definitions. Remove them. Signed-off-by: Jeremy Sowden --- include/net/netfilter/nf_conntrack_acct.h | 2 +- include/net/netfilter/nf_conntrack_ecache.h | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/include/net

[PATCH nf-next 08/29] netfilter: remove unused function declarations.

Two headers include declarations of functions which are never defined. Remove them. Signed-off-by: Jeremy Sowden --- include/linux/netfilter_ipv4/ip_tables.h | 2 -- include/linux/netfilter_ipv6/ip6_tables.h | 3 +-- 2 files changed, 1 insertion(+), 4 deletions(-) diff --git a/include/linux

[PATCH nf-next 06/29] netfilter: fix Kconfig formatting error.

Indent the type of CONFIG_NETFILTER_NETLINK_ACCT correctly. Signed-off-by: Jeremy Sowden --- net/netfilter/Kconfig | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig index 6244bf3de4af..34ec7afec116 100644 --- a/net/netfilter

[PATCH nf-next 03/29] netfilter: fix include guard comment.

The comment following the #endif in the nf_flow_table.h include guard referred to the wrong macro. Fix it. Signed-off-by: Jeremy Sowden --- include/net/netfilter/nf_flow_table.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/net/netfilter/nf_flow_table.h b/include

[PATCH nf-next 22/29] netfilter: wrap some nat-related conntrack code in a CONFIG_NF_NAT check.

nf_conntrack_update uses nf_nat_hook to do some nat stuff. However, it will only be not NULL if CONFIG_NF_NAT is enabled. Wrap the code in a CONFIG_NF_NAT check to skip it altogether. Signed-off-by: Jeremy Sowden --- net/netfilter/nf_conntrack_core.c | 4 1 file changed, 4 insertions

[PATCH nf-next 25/29] netfilter: add CONFIG_NETFILTER check to linux/netfilter.h.

The bulk of this header is already wrapped in CONFIG_NETFILTER or CONFIG_NF_CONNTRACK checks. The last few definitions are also only required if CONFIG_NETFILTER is enabled. Add another conditional for that remainder. Signed-off-by: Jeremy Sowden --- include/linux/netfilter.h | 7 +++ 1

[PATCH nf-next 15/29] netfilter: move code between synproxy headers.

There is some non-conntrack code in the nf_conntrack_synproxy.h header. Move it to the nf_synproxy.h header. Signed-off-by: Jeremy Sowden --- include/net/netfilter/nf_conntrack_synproxy.h | 39 --- include/net/netfilter/nf_synproxy.h | 38 ++ 2 files

[PATCH nf-next 27/29] netfilter: add IP_SET_BITMAP config option.

Add a hidden tristate option which is selected by all the IP_SET_BITMAP_* options. It will be used to wrap ip_set_bitmap.h. Signed-off-by: Jeremy Sowden --- net/netfilter/ipset/Kconfig | 6 ++ 1 file changed, 6 insertions(+) diff --git a/net/netfilter/ipset/Kconfig b/net/netfilter/ipset

[PATCH nf-next 12/29] netfilter: inline three headers.

Three netfilter headers are only included once. Inline their contents at those sites and remove them. Signed-off-by: Jeremy Sowden --- include/linux/netfilter/xt_hashlimit.h | 11 --- include/linux/netfilter/xt_physdev.h | 8 include/linux/netfilter_bridge/ebt_802_3

[PATCH nf-next 11/29] netfilter: added missing includes.

Include some headers in files which use them. Signed-off-by: Jeremy Sowden --- include/net/netfilter/nf_conntrack_core.h | 3 ++- include/net/netfilter/nf_nat.h| 5 +++-- include/net/netfilter/nf_nat_masquerade.h | 1 + net/netfilter/nf_conntrack_ecache.c | 1 + net/netfilter

[PATCH nf-next 24/29] netfilter: wrap some conntrack code in a CONFIG_NF_CONNTRACK check.

struct nf_conntrack_zone is only required if CONFIG_NF_CONNTRACK. Wrap its definition in a CONFIG_NF_CONNTRACK check. Signed-off-by: Jeremy Sowden --- include/linux/netfilter/nf_conntrack_zones_common.h | 4 1 file changed, 4 insertions(+) diff --git a/include/linux/netfilter

[PATCH nf-next 26/29] netfilter: add NF_TPROXY config option.

Add a hidden tristate option which is select by NF_TPROXY_IPV4 and NF_TPROXY_IPV6. It will be used to wrap nf_tproxy.h. Signed-off-by: Jeremy Sowden --- net/ipv4/netfilter/Kconfig | 1 + net/ipv6/netfilter/Kconfig | 1 + net/netfilter/Kconfig | 3 +++ 3 files changed, 5 insertions

[PATCH nf-next 18/29] netfilter: replace defined(CONFIG...) || defined(CONFIG...MODULE) with IS_ENABLED(CONFIG...).

A few headers contain instances of: #if defined(CONFIG_XXX) or defined(CONFIG_XXX_MODULE) Replace them with: #if IS_ENABLED(CONFIG_XXX) Signed-off-by: Jeremy Sowden --- include/linux/netfilter.h | 2 +- include/linux/netfilter/ipset/ip_set_getport.h | 2 +- include

[PATCH nf-next 19/29] netfilter: wrap union nf_conntrack_proto members in CONFIG_NF_CT_PROTO_* check.

dccp, sctp and gre are only used in code enabled by particular CONFIG_NF_CT_PROTO_* options. Wrap them in the checks for those options. Signed-off-by: Jeremy Sowden --- include/net/netfilter/nf_conntrack.h | 6 ++ 1 file changed, 6 insertions(+) diff --git a/include/net/netfilter

[PATCH nf-next 14/29] netfilter: move inline function to a more appropriate header.

There is an inline function in ip6_tables.h which is not specific to ip6tables and is used elswhere in netfilter. Move it into netfilter_ipv6.h and update the callers. Signed-off-by: Jeremy Sowden --- include/linux/netfilter_ipv6.h| 12 include/linux/netfilter_ipv6

[PATCH nf-next 28/29] netfilter: add IP_SET_HASH config option.

Add a hidden tristate option which is selected by all the IP_SET_HASH_* options. It will be used to wrap ip_set_hash.h. Signed-off-by: Jeremy Sowden --- net/netfilter/ipset/Kconfig | 15 +++ 1 file changed, 15 insertions(+) diff --git a/net/netfilter/ipset/Kconfig b/net/netfilter

[PATCH nf-next 17/29] netfilter: use consistent style when defining inline functions in nf_conntrack_ecache.h.

(...) { ... } #endif Prefer the former style, which is more numerous. Signed-off-by: Jeremy Sowden --- include/net/netfilter/nf_conntrack_ecache.h | 82 + 1 file changed, 50 insertions(+), 32 deletions(-) diff --git a/include/net/netfilter/nf_conntrack_ecache.h b/include/net

[PATCH nf-next 13/29] netfilter: remove superfluous header.

nf_conntrack_icmpv6.h contains two object macros which duplicate macros in linux/icmpv6.h. The latter definitions are also visible wherever it is included, so remove it. Signed-off-by: Jeremy Sowden --- .../net/netfilter/ipv6/nf_conntrack_icmpv6.h | 21 --- include/net

[PATCH nf-next 20/29] netfilter: wrap inline synproxy function in CONFIG_NETFILTER_SYNPROXY check.

nf_conntrack_synproxy.h contains three inline functions. The contents of two of them are wrapped in CONFIG_NETFILTER_SYNPROXY checks and just return NULL if it is not enabled. The third does nothing if they return NULL, so wrap its contents as well. Signed-off-by: Jeremy Sowden --- include

[PATCH nf-next 29/29] netfilter: wrap headers in CONFIG checks.

in order to avoid having to update inclusions in other parts of the kernel. Signed-off-by: Jeremy Sowden --- include/linux/netfilter/ipset/ip_set.h| 7 ++- include/linux/netfilter/ipset/ip_set_bitmap.h | 4 .../linux/netfilter/ipset/ip_set_getport.h| 4 include/linux

[PATCH nf-next 16/29] netfilter: move struct definition function to a more appropriate header.

There is a struct definition function in nf_conntrack_bridge.h which is not specific to conntrack and is used elswhere in netfilter. Move it into netfilter.h. Signed-off-by: Jeremy Sowden --- include/linux/netfilter.h | 7 +++ include/linux/netfilter_ipv6.h

[PATCH nf-next 10/29] netfilter: include the right header in nf_conntrack_zones.h.

nf_conntrack_zones.h includes nf_conntrack_extend.h, but it doesn't actually use anything from it. It does, however, require stuff from nf_conntrack.h which it includes transitively. Include nf_conntrack.h directly instead. Signed-off-by: Jeremy Sowden --- include/net/netf

[PATCH nf-next 21/29] netfilter: wrap inline timeout function in CONFIG_NETFILTER_TIMEOUT check.

nf_ct_timeout_data is only called if CONFIG_NETFILTER_TIMEOUT is enabled. Wrap its contents in a CONFIG_NETFILTER_TIMEOUT check like the other inline functions in nf_conntrack_timeout.h. Signed-off-by: Jeremy Sowden --- include/net/netfilter/nf_conntrack_timeout.h | 4 1 file changed, 4

[PATCH nf-next 23/29] netfilter: wrap some ipv6 tables code in a CONFIG_NF_TABLES_IPV6 check.

nft_set_pktinfo_ipv6_validate does nothing unless CONFIG_IPV6, and therefore by implication CONFIG_NF_TABLES_IPV6, is enabled. Wrap the calls in a CONFIG_NF_TABLES_IPV6 check. Signed-off-by: Jeremy Sowden --- net/netfilter/nft_chain_filter.c | 4 1 file changed, 4 insertions(+) diff

[PATCH nf-next v2 02/30] netfilter: add include guard to nf_conntrack_labels.h.

nf_conntrack_labels.h has no include guard. Add it. Signed-off-by: Jeremy Sowden --- include/net/netfilter/nf_conntrack_labels.h | 11 --- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/include/net/netfilter/nf_conntrack_labels.h b/include/net/netfilter

[PATCH nf-next v2 09/30] netfilter: remove unused includes.

Some header-files are included in places where they are not needed. Remove them. Signed-off-by: Jeremy Sowden --- net/bridge/netfilter/nf_conntrack_bridge.c | 1 - net/ipv6/netfilter/nf_socket_ipv6.c| 1 - net/netfilter/xt_physdev.c | 1 - 3 files changed, 3 deletions

[PATCH nf-next v2 03/30] netfilter: fix include guard comment.

The comment following the #endif in the nf_flow_table.h include guard referred to the wrong macro. Fix it. Signed-off-by: Jeremy Sowden --- include/net/netfilter/nf_flow_table.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/net/netfilter/nf_flow_table.h b/include

[PATCH nf-next v2 01/30] netfilter: add include guard to nf_conntrack_h323_types.h

From: Masahiro Yamada Add a header include guard just in case. Signed-off-by: Masahiro Yamada Signed-off-by: Pablo Neira Ayuso --- include/linux/netfilter/nf_conntrack_h323_types.h | 5 + 1 file changed, 5 insertions(+) diff --git a/include/linux/netfilter/nf_conntrack_h323_types.h b/in

[PATCH nf-next v2 00/30] Add config option checks to netfilter headers.

f new NF_TPROXY config option. Jeremy Sowden (29): netfilter: add include guard to nf_conntrack_labels.h. netfilter: fix include guard comment. netfilter: add GPL-2.0 SPDX ID's to a couple of headers. netfilter: remove trailing white-space. netfilter: fix Kconfig formatting error.

[PATCH nf-next v2 05/30] netfilter: remove trailing white-space.

Several header-files, Kconfig files and Makefiles have trailing white-space. Remove it. Signed-off-by: Jeremy Sowden --- include/linux/netfilter/x_tables.h | 2 +- include/linux/netfilter_ipv6.h | 2 +- include/net/netfilter/nf_conntrack_expect.h | 2 +- include/net

[PATCH nf-next v2 04/30] netfilter: add GPL-2.0 SPDX ID's to a couple of headers.

Two headers are missing SPDX licence identifiers. They contain copyright notices indicating that the code is GPL. Add GPL-2.0 identifiers. Signed-off-by: Jeremy Sowden --- include/linux/netfilter_ipv4.h | 3 ++- include/linux/netfilter_ipv6.h | 3 ++- 2 files changed, 4 insertions(+), 2

[PATCH nf-next v2 07/30] netfilter: remove stray semicolons.

There are a couple of semicolons at the end of function definitions. Remove them. Signed-off-by: Jeremy Sowden --- include/net/netfilter/nf_conntrack_acct.h | 2 +- include/net/netfilter/nf_conntrack_ecache.h | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/include/net

[PATCH nf-next v2 06/30] netfilter: fix Kconfig formatting error.

Indent the type of CONFIG_NETFILTER_NETLINK_ACCT correctly. Signed-off-by: Jeremy Sowden --- net/netfilter/Kconfig | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig index 6244bf3de4af..34ec7afec116 100644 --- a/net/netfilter

[PATCH nf-next v2 08/30] netfilter: remove unused function declarations.

Two headers include declarations of functions which are never defined. Remove them. Signed-off-by: Jeremy Sowden --- include/linux/netfilter_ipv4/ip_tables.h | 2 -- include/linux/netfilter_ipv6/ip6_tables.h | 3 +-- 2 files changed, 1 insertion(+), 4 deletions(-) diff --git a/include/linux

[PATCH nf-next v2 13/30] netfilter: inline three headers.

Three netfilter headers are only included once. Inline their contents at those sites and remove them. Signed-off-by: Jeremy Sowden --- include/linux/netfilter/xt_hashlimit.h | 11 --- include/linux/netfilter/xt_physdev.h | 8 include/linux/netfilter_bridge/ebt_802_3

[PATCH nf-next v2 26/30] netfilter: add CONFIG_NETFILTER check to linux/netfilter.h.

The bulk of this header is already wrapped in CONFIG_NETFILTER or CONFIG_NF_CONNTRACK checks. The last few definitions are also only required if CONFIG_NETFILTER is enabled. Add another conditional for that remainder. Signed-off-by: Jeremy Sowden --- include/linux/netfilter.h | 7 +++ 1

[PATCH nf-next v2 21/30] netfilter: wrap inline synproxy function in CONFIG_NETFILTER_SYNPROXY check.

nf_conntrack_synproxy.h contains three inline functions. The contents of two of them are wrapped in CONFIG_NETFILTER_SYNPROXY checks and just return NULL if it is not enabled. The third does nothing if they return NULL, so wrap its contents as well. Signed-off-by: Jeremy Sowden --- include

[PATCH nf-next v2 14/30] netfilter: remove superfluous header.

nf_conntrack_icmpv6.h contains two object macros which duplicate macros in linux/icmpv6.h. The latter definitions are also visible wherever it is included, so remove it. Signed-off-by: Jeremy Sowden --- .../net/netfilter/ipv6/nf_conntrack_icmpv6.h | 21 --- include/net

[PATCH nf-next v2 16/30] netfilter: move code between synproxy headers.

There is some non-conntrack code in the nf_conntrack_synproxy.h header. Move it to the nf_synproxy.h header. Signed-off-by: Jeremy Sowden --- include/net/netfilter/nf_conntrack_synproxy.h | 39 --- include/net/netfilter/nf_synproxy.h | 38 ++ 2 files

[PATCH nf-next v2 11/30] netfilter: fix inclusions of .

Three files include linux/netfilter/nf_nat.h, which doesn't exist, instead of uapi/linux/netfilter/nf_nat.h. Fix them. Signed-off-by: Jeremy Sowden --- include/net/netfilter/nf_nat.h | 5 - net/netfilter/nf_nat_core.c| 6 +++--- net/sched/act_ct.c | 2 +- 3 files chang

[PATCH nf-next v2 20/30] netfilter: wrap union nf_conntrack_proto members in CONFIG_NF_CT_PROTO_* check.

dccp, sctp and gre are only used in code enabled by particular CONFIG_NF_CT_PROTO_* options. Wrap them in the checks for those options. Signed-off-by: Jeremy Sowden --- include/net/netfilter/nf_conntrack.h | 6 ++ 1 file changed, 6 insertions(+) diff --git a/include/net/netfilter

[PATCH nf-next v2 28/30] netfilter: add IP_SET_BITMAP config option.

Add a hidden tristate option which is selected by all the IP_SET_BITMAP_* options. It will be used to wrap ip_set_bitmap.h. Signed-off-by: Jeremy Sowden --- net/netfilter/ipset/Kconfig | 6 ++ 1 file changed, 6 insertions(+) diff --git a/net/netfilter/ipset/Kconfig b/net/netfilter/ipset

[PATCH nf-next v2 22/30] netfilter: wrap inline timeout function in CONFIG_NETFILTER_TIMEOUT check.

nf_ct_timeout_data is only called if CONFIG_NETFILTER_TIMEOUT is enabled. Wrap its contents in a CONFIG_NETFILTER_TIMEOUT check like the other inline functions in nf_conntrack_timeout.h. Signed-off-by: Jeremy Sowden --- include/net/netfilter/nf_conntrack_timeout.h | 4 1 file changed, 4

[PATCH nf-next v2 24/30] netfilter: wrap some ipv6 tables code in a CONFIG_NF_TABLES_IPV6 check.

nft_set_pktinfo_ipv6_validate does nothing unless CONFIG_IPV6, and therefore by implication CONFIG_NF_TABLES_IPV6, is enabled. Wrap the calls in a CONFIG_NF_TABLES_IPV6 check. Signed-off-by: Jeremy Sowden --- net/netfilter/nft_chain_filter.c | 4 1 file changed, 4 insertions(+) diff

[PATCH nf-next v2 15/30] netfilter: move inline function to a more appropriate header.

There is an inline function in ip6_tables.h which is not specific to ip6tables and is used elswhere in netfilter. Move it into netfilter_ipv6.h and update the callers. Signed-off-by: Jeremy Sowden --- include/linux/netfilter_ipv6.h| 12 include/linux/netfilter_ipv6

[PATCH nf-next v2 29/30] netfilter: add IP_SET_HASH config option.

Add a hidden tristate option which is selected by all the IP_SET_HASH_* options. It will be used to wrap ip_set_hash.h. Signed-off-by: Jeremy Sowden --- net/netfilter/ipset/Kconfig | 15 +++ 1 file changed, 15 insertions(+) diff --git a/net/netfilter/ipset/Kconfig b/net/netfilter

[PATCH nf-next v2 27/30] netfilter: add NF_TPROXY config option.

Add a hidden tristate option which is select by NF_TPROXY_IPV4 and NF_TPROXY_IPV6. It will be used to wrap nf_tproxy.h. Signed-off-by: Jeremy Sowden --- net/ipv4/netfilter/Kconfig | 1 + net/ipv6/netfilter/Kconfig | 1 + net/netfilter/Kconfig | 3 +++ 3 files changed, 5 insertions

[PATCH nf-next v2 18/30] netfilter: use consistent style when defining inline functions in nf_conntrack_ecache.h.

(...) { ... } #endif Prefer the former style, which is more numerous. Signed-off-by: Jeremy Sowden --- include/net/netfilter/nf_conntrack_ecache.h | 82 + 1 file changed, 50 insertions(+), 32 deletions(-) diff --git a/include/net/netfilter/nf_conntrack_ecache.h b/include/net

[PATCH nf-next v2 17/30] netfilter: move struct definition function to a more appropriate header.

There is a struct definition function in nf_conntrack_bridge.h which is not specific to conntrack and is used elswhere in netfilter. Move it into netfilter.h. Signed-off-by: Jeremy Sowden --- include/linux/netfilter.h | 7 +++ include/linux/netfilter_ipv6.h

[PATCH nf-next v2 25/30] netfilter: wrap some conntrack code in a CONFIG_NF_CONNTRACK check.

struct nf_conntrack_zone is only required if CONFIG_NF_CONNTRACK. Wrap its definition in a CONFIG_NF_CONNTRACK check. Signed-off-by: Jeremy Sowden --- include/linux/netfilter/nf_conntrack_zones_common.h | 4 1 file changed, 4 insertions(+) diff --git a/include/linux/netfilter

[PATCH nf-next v2 12/30] netfilter: added missing includes.

Include some headers in files which use them. Signed-off-by: Jeremy Sowden --- include/net/netfilter/nf_conntrack_core.h | 3 ++- include/net/netfilter/nf_nat.h| 8 ++-- include/net/netfilter/nf_nat_masquerade.h | 1 + net/netfilter/nf_conntrack_ecache.c | 1 + net

[PATCH nf-next v2 19/30] netfilter: replace defined(CONFIG...) || defined(CONFIG...MODULE) with IS_ENABLED(CONFIG...).

A few headers contain instances of: #if defined(CONFIG_XXX) or defined(CONFIG_XXX_MODULE) Replace them with: #if IS_ENABLED(CONFIG_XXX) Signed-off-by: Jeremy Sowden --- include/linux/netfilter.h | 2 +- include/linux/netfilter/ipset/ip_set_getport.h | 2 +- include

[PATCH nf-next v2 10/30] netfilter: include the right header in nf_conntrack_zones.h.

nf_conntrack_zones.h includes nf_conntrack_extend.h, but it doesn't actually use anything from it. It does, however, require stuff from nf_conntrack.h which it includes transitively. Include nf_conntrack.h directly instead. Signed-off-by: Jeremy Sowden --- include/net/netf

[PATCH nf-next v2 30/30] netfilter: wrap headers in CONFIG checks.

in order to avoid having to update inclusions in other parts of the kernel. Signed-off-by: Jeremy Sowden --- include/linux/netfilter/ipset/ip_set.h| 7 ++- include/linux/netfilter/ipset/ip_set_bitmap.h | 4 .../linux/netfilter/ipset/ip_set_getport.h| 4 include/linux

[PATCH nf-next v2 23/30] netfilter: wrap some nat-related conntrack code in a CONFIG_NF_NAT check.

nf_conntrack_update uses nf_nat_hook to do some nat stuff. However, it will only be not NULL if CONFIG_NF_NAT is enabled. Wrap the code in a CONFIG_NF_NAT check to skip it altogether. Signed-off-by: Jeremy Sowden --- net/netfilter/nf_conntrack_core.c | 4 1 file changed, 4 insertions

Re: [PATCH nf-next v2 00/30] Add config option checks to netfilter headers.

On 2019-09-04, at 21:05:35 +0200, Pablo Neira Ayuso wrote: > Thanks for working on this. Happy to help. > Could you squash a few of these patches to get a smaller patchset? Absolutely. > My suggestions: > > * Squash 01/30, 02/30 and 03/30, call this something like: "netfilter: > add missing i

[PATCH nf-next v3 07/18] netfilter: move inline function to a more appropriate header.

There is an inline function in ip6_tables.h which is not specific to ip6tables and is used elswhere in netfilter. Move it into netfilter_ipv6.h and update the callers. Signed-off-by: Jeremy Sowden --- include/linux/netfilter_ipv6.h| 12 include/linux/netfilter_ipv6

[PATCH nf-next v3 06/18] netfilter: remove nf_conntrack_icmpv6.h header.

nf_conntrack_icmpv6.h contains two object macros which duplicate macros in linux/icmpv6.h. The latter definitions are also visible wherever it is included, so remove it. Signed-off-by: Jeremy Sowden --- .../net/netfilter/ipv6/nf_conntrack_icmpv6.h | 21 --- include/net

[PATCH nf-next v3 03/18] netfilter: remove unused function declarations.

Two headers include declarations of functions which are never defined. Remove them. Signed-off-by: Jeremy Sowden --- include/linux/netfilter_ipv4/ip_tables.h | 2 -- include/linux/netfilter_ipv6/ip6_tables.h | 3 +-- 2 files changed, 1 insertion(+), 4 deletions(-) diff --git a/include/linux

[PATCH nf-next v3 01/18] netfilter: fix include guards.

nf_conntrack_labels.h has no include guard. Add it. The comment following the #endif in the nf_flow_table.h include guard referred to the wrong macro. Fix it. Signed-off-by: Jeremy Sowden --- include/net/netfilter/nf_conntrack_labels.h | 11 --- include/net/netfilter/nf_flow_table.h

[PATCH nf-next v3 09/18] netfilter: move struct definition function to a more appropriate header.

There is a struct definition function in nf_conntrack_bridge.h which is not specific to conntrack and is used elswhere in netfilter. Move it into netfilter_bridge.h. Signed-off-by: Jeremy Sowden --- include/linux/netfilter_bridge.h| 7 +++ include/linux/netfilter_ipv6.h

[PATCH nf-next v3 02/18] netfilter: fix coding-style errors.

/netfilter/nf_conntrack_ecache.h. Remove them. Fix indentation in nf_conntrack_l4proto.h. Signed-off-by: Jeremy Sowden --- include/linux/netfilter/x_tables.h | 2 +- include/linux/netfilter_ipv6.h | 2 +- include/net/netfilter/nf_conntrack_acct.h| 2 +- include/net

[PATCH nf-next v3 00/18] Remove config option checks from netfilter headers.

; * corrected placement of new NF_TPROXY config option. Jeremy Sowden (18): netfilter: fix include guards. netfilter: fix coding-style errors. netfilter: remove unused function declarations. netfilter: inline three headers. netfilter: update include directives. netfilter: remove

[PATCH nf-next v3 08/18] netfilter: move code between synproxy headers.

There is some non-conntrack code in the nf_conntrack_synproxy.h header. Move it to the nf_synproxy.h header. Signed-off-by: Jeremy Sowden --- include/net/netfilter/nf_conntrack_synproxy.h | 39 --- include/net/netfilter/nf_synproxy.h | 38 ++ 2 files

[PATCH nf-next v3 05/18] netfilter: update include directives.

Include some headers in files which require them, and remove others which are not required. Signed-off-by: Jeremy Sowden --- include/net/netfilter/nf_conntrack_core.h | 3 ++- include/net/netfilter/nf_conntrack_zones.h | 3 ++- include/net/netfilter/nf_nat.h | 13

[PATCH nf-next v3 04/18] netfilter: inline three headers.

Three netfilter headers are only included once. Inline their contents at those sites and remove them. Signed-off-by: Jeremy Sowden --- include/linux/netfilter/xt_hashlimit.h | 11 --- include/linux/netfilter/xt_physdev.h | 8 include/linux/netfilter_bridge/ebt_802_3

[PATCH nf-next v3 10/18] netfilter: use consistent style when defining inline functions in nf_conntrack_ecache.h.

(...) { ... } #endif Prefer the former style, which is more numerous. Signed-off-by: Jeremy Sowden --- include/net/netfilter/nf_conntrack_ecache.h | 82 + 1 file changed, 50 insertions(+), 32 deletions(-) diff --git a/include/net/netfilter/nf_conntrack_ecache.h b/include/net

[PATCH nf-next v3 14/18] netfilter: move nf_conntrack code to linux/nf_conntrack_common.h.

Move some `struct nf_conntrack` code from linux/skbuff.h to linux/nf_conntrack_common.h. Together with a couple of helpers for getting and setting skb->_nfct, it allows us to remove CONFIG_NF_CONNTRACK checks from net/netfilter/nf_conntrack.h. Signed-off-by: Jeremy Sowden --- include/li

[PATCH nf-next v3 11/18] netfilter: replace defined(CONFIG...) || defined(CONFIG...MODULE) with IS_ENABLED(CONFIG...).

A few headers contain instances of: #if defined(CONFIG_XXX) or defined(CONFIG_XXX_MODULE) Replace them with: #if IS_ENABLED(CONFIG_XXX) Signed-off-by: Jeremy Sowden --- include/linux/netfilter.h | 2 +- include/linux/netfilter/ipset/ip_set_getport.h | 2 +- include

[PATCH nf-next v3 12/18] netfilter: wrap two inline functions in config checks.

CONFIG_NETFILTER_TIMEOUT is enabled. Wrap its contents in a CONFIG_NETFILTER_TIMEOUT check like the other inline functions in nf_conntrack_timeout.h. Signed-off-by: Jeremy Sowden --- include/net/netfilter/nf_conntrack_synproxy.h | 2 ++ include/net/netfilter/nf_conntrack_timeout.h | 4 2 files

[PATCH nf-next v3 17/18] netfilter: remove CONFIG_NF_CONNTRACK checks from nf_conntrack_zones.h.

Remove it. Signed-off-by: Jeremy Sowden --- include/net/netfilter/nf_conntrack_zones.h | 5 + 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/include/net/netfilter/nf_conntrack_zones.h b/include/net/netfilter/nf_conntrack_zones.h index 33b91d19cb7d..48dbadb96fb3 100644 --- a/i

[PATCH nf-next v3 18/18] netfilter: remove two unused functions from nf_conntrack_timestamp.h.

Two inline functions defined in nf_conntrack_timestamp.h, `nf_ct_tstamp_enabled` and `nf_ct_set_tstamp`, are not called anywhere. Remove them. Signed-off-by: Jeremy Sowden --- include/net/netfilter/nf_conntrack_timestamp.h | 16 1 file changed, 16 deletions(-) diff --git a

  1   2   >